cve-2026-23357

CVE-2026-23357 is a Linux kernel vulnerability in the SocketCAN mcp251x driver, used for Microchip MCP251x and MCP25625 SPI-based CAN controllers. The issue is a deadlock in the error-handling path of mcp251x_open(), where free_irq() is called while the driver's mcp_lock mutex is still held. Under specific timing conditions, an interrupt can occur before the driver finishes unwinding from a failed open operation, causing the interrupt handler to wait on the same mutex, leading to a kernel hang. This vulnerability affects availability and is relevant to systems using these CAN controllers, such as embedded or automotive Linux environments.